Netgate Discussion Forum
    configuring NAT for IPSec (each site is exactly the same..)

    • E
      ethan.103
      last edited by

      Hello!

      I am looking at changing my current VPN setup. Currently, I am using VTI with all traffic flowing through the interface IP address.
      I want to have bidirectional traffic in which I can specify which IP address to talk with specifically on both sides of the tunnel with a few locations.

      Hub - pfSense server running 23.05.1 with network 10.0.10.0/24 (pfSense on 10.0.10.10/24)

      Site A: primary LAN 172.16.5.0/24
      Site B: Primary LAN 172.16.5.0/24
      Site C: Primary LAN 172.16.5.0/24

      The issue is I am not able to change the subnet of each site and they have the same setup. Is there a way from pfSense to set up NAT so that I can specify different subnets for each location that get translated to their proper IPsec location?

      For example 10.0.20.0/24 would NAT to site A 172.16.5.0/24 (10.0.20.100 = 172.16.5.100)
      and site B is 10.0.30.0/24

      Any tips or help is very much appreciated.
      Thank you,
      Ethan

      • AndyRHA
        AndyRH
        last edited by

        First, locate the networking "excerpt" that did this and strongly suggest a career change.

        There is another thread, same problem, 2 sites. This is a path that will cause endless hours of troubleshooting and some things will never work.

        Seems to me changing the addresses of 2 networks is a 2 - 4 day job and when you are done the network of VPN tunnels will work. Seriously consider evaluating an address change.

        o||||o
        7100-1u

        • E
          ethan.103 @AndyRH
          last edited by

          @AndyRH

          Hello,

          That is definitely on the table, but the site count is closer to 150 if I am honest, and I am trying to find a quicker solution to get me by for now as I go through site by site and correct the issue. This is why I thought BINAT/NAT would be the solution, but I haven't been able to figure out how to configure it correctly.

          • V
            viragomann @ethan.103
            last edited by

            @ethan-103
            You can do this with BINAT for sure, but this requires a policy-based tunnel.

            With VTI you can configure a NAT 1:1 to achieve this.

            For example 10.0.20.0/24 would NAT to site A 172.16.5.0/24 (10.0.20.100 = 172.16.5.100)

            For this example you have to add a NAT 1:1 rule to the VTI interface at A, where the "External subnet IP" is 10.0.20.0 and the "Internal IP" is type Network > 172.16.5.0/24.

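As an added illustration of the 1:1 (binat-style) mapping described in the answer above, not code from the thread or from pfSense: it keeps the host bits and swaps the network bits, so 10.0.20.100 on the hub side becomes 172.16.5.100 at site A. The site and hub-side subnets are the ones from the thread; the hub LAN 10.0.10.0/24 and the overlap check (useful when planning the 150-site rollout mentioned earlier) are assumptions.

```python
import ipaddress

# Constructed example, following the thread: every site LAN is 172.16.5.0/24,
# and each site gets its own "External subnet IP" network on the hub side.
SITE_LAN = "172.16.5.0/24"
HUB_LAN = "10.0.10.0/24"                       # assumed hub LAN from the thread
SITE_NAT = {"A": "10.0.20.0/24", "B": "10.0.30.0/24"}

def translate(addr, src_cidr, dst_cidr):
    """1:1 NAT the way pf 'binat' does it: keep the host bits, swap the
    network bits. Only defined when both networks have the same prefix length."""
    src = ipaddress.ip_network(src_cidr)
    dst = ipaddress.ip_network(dst_cidr)
    ip = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(ip) - int(src.network_address)
    return str(dst.network_address + host_bits)

def to_site(site, hub_side_addr):
    """Hub -> site: the external (hub-side) address becomes the real LAN address."""
    return translate(hub_side_addr, SITE_NAT[site], SITE_LAN)

def from_site(site, site_addr):
    """Site -> hub: the real LAN address appears on the hub as its external address."""
    return translate(site_addr, SITE_LAN, SITE_NAT[site])

def overlapping(nat_map, hub_lan):
    """Pairs of names whose external subnets overlap each other or the hub LAN.
    Any overlap means the hub cannot tell the sites (or itself) apart by address."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in nat_map.items()}
    nets["hub"] = ipaddress.ip_network(hub_lan)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    print(to_site("A", "10.0.20.100"), from_site("B", "172.16.5.100"))
    print(overlapping(SITE_NAT, HUB_LAN))
```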
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.